Teleport is software which provides an SSH Jump Host (or Bastion host) service in a secure, modern, way, with support for role-based access control, and single sign-on.

It is a replacement for the ecAccess SSH service, and is operated by the CD Apps team and User Services.

This service is under development. Please continue to use the existing ECAccess service!

Overview

The Teleport service provides:

Single SSH hop from client systems anywhere on the internet to servers inside ECMWF (ecGate, HPC, etc)
Web single sign-on using ECMWF's website and the HID token
Eight hour sessions allowing multiple connections between re-authentication
Integration with standard tools such as the OpenSSH ssh client, and ssh-agent

The single sign-on step is performed using an application called "tsh", every eight hours.

After that you use standard ssh or scp to connect to systems inside ECMWF.

Downloading `tsh`

The tsh application is required to perform user authentication once every eight hours.

tsh is open source, very portable, and has minimal dependencies.

Download from the Gravitational website and place into your $PATH

The binary is available for Linux 32-bit, 64-bit, and ARM, as well as signed packages for MacOS and Windows 64-bit.

MacOS users can also use homebrew for installation (brew install teleport).

User Authentication

Once every eight hours, you will need to refresh your tokens by logging in to the ECMWF website.

First Time

Run tsh, giving the location of our gateway:

tsh login --proxy=shell.ecmwf.int

Your default web browser will open and you should login with your email address, workstation password, and then HID Token code.

Subsequent Occasions

tsh login

If you're already logged in to the ECMWF website, or have recently logged in to this service, the password prompt might be skipped.

Connecting to hosts through the gateway

OpenSSH 7.3 or later has a simple command line option to connect via our gateway (shell.ecmwf.int) to the destination-host:

ssh -J username@shell.ecmwf.int username@destination-host

For example, if your username is ab0 and you wish to connect to ecgate:

ssh -J ab0@shell.ecmwf.int ab0@ecgate

The OpenSSH configuration setting for this is named ProxyJump.

Destination Hosts available

Destination hosts available through the Teleport gateway are:

Linux VDI (both legacy OpenSUSE and CENTOS 8 beta)
Physical office workstations
ecGate
HPC2020 TEMS

Legacy Configuration

For OpenSSH clients older than 7.3, the following will work in your ~/.ssh/config file:

Host ecgate
  Username ab0
  ProxyCommand /usr/bin/ssh -q -W %h:%p shell.ecmwf.int

Configuring passwordless login

With the initial configuration you may be prompted for a password at the destination-host.

For login without a password, add the Teleport certificate authority to your ~/.ssh/authorized_keys file:

curl -fs https://nexus.ecmwf.int/repository/internal-teleport-configs/prod/teleport_user_ca.pub >> ~/.ssh/authorized_keys

This configuration will allow access to any host which mounts the same $HOME directory.

SCP, X11 and Port Forwarding

scp and port forwarding will all work through the Teleport gateway.

X11 forwarding will work in a couple of months when we have an update from the vendor.